3

Since a few days ago a lot of Windows servers on a corporate domain started to have almost 100% CPU usage. All of them are on VMWare Hosts and even there we can see the 100% CPU usage on the host level.

I've have checked:

  • Changed GPOs on the day we saw first spike, nothing was changed.
  • All software that is distributed centrally, like Antivirus. Uninstalled AV completely for testing on a few servers.
  • Ruled out Virtual problems and started looking to a bare metal server.

The behavoir is exactly as the subject says. If I look at graphs right now, no one is logged in I see the load is around 90% all cores are crazy. If I log in I see everything normal, all cores come to normal usage, 5-8%.

This happens on multiple OS versions, Windows Server 2008R2, 2012R2, 2016. Some with SQL Server.

Btw, RDS servers don't have this problem. CPU usage is normal and graph is the same as it was when problem showed on all the others.

rgomez
  • 153
  • 1
  • 2
  • 10
  • 2
    It's fairly simple to find out which process or service is the culprit. Launch Task Manager and take a look at the Processes tab, sort by the CPU column so that the process with the highest CPU percentage is on top, right click that process and select "Go to details" in the context menu. Troubleshoot from there. – joeqwerty Dec 22 '17 at 14:27
  • and which process causes the CPU usage? – magicandre1981 Dec 24 '17 at 13:15
  • Your servers just mines bitcoins. – kakaz Dec 24 '17 at 15:01
  • 1
    Agreed with magicandre, what about the process which causes CPU usage? If it is svchost.exe, you can try this topic, it can help. https://community.spiceworks.com/topic/321270-svchost-exe-high-cpu-usage-now-what – Stuka Dec 26 '17 at 14:14
  • Just found that a specific svchost.exe is consuming CPU, if I suspend it the CPU usage gets normal. I've used ProcessExplorer but I can't find what this process is doing in fact. Any way how? – rgomez Jan 03 '18 at 13:59

1 Answers1

1

Use one of the may remote task monitors and check the process causing this. Then stop mining.

bjoster
  • 4,805
  • 5
  • 25
  • 33